recursive-privilege-change
The named maintainer script appears to call chmod or chown with a --recursive/-R argument, or it uses find(1) with similar intent. All such uses are vulnerable to hardlink attacks on mainline (i.e. non-Debian) kernels that do not set fs.protected_hardlinks=1.
The security risk arises when a non-privileged user sets links to files they do not own, such as /etc/shadow or files in /var/lib/dpkg/. A superuser's recursive call to chown or chmod on behalf of a role user account would then modify the non-owned files in ways that allow the non-privileged user to manipulate them later.
There are several ways to mitigate the issue in maintainer scripts:
- For a static role user, please call chown at build time and not during the installation.
- If that is too complicated, use runuser(1) in the relevant build parts to create files with correct ownership.
- Given a static list of files to change, use non-recursive calls for each file. (Please do not generate the list with find.)
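The following POSIX sh fragment is an added illustration of the third mitigation; it is not code from Lintian or from any Debian package. It assumes a hypothetical role user and a static, hand-written file list, and it chowns each entry individually instead of recursing. As an extra defensive check that the page does not require, it refuses any path that is not a regular file with a link count of one, so a planted hardlink to a file such as /etc/shadow is skipped rather than re-owned. It also reports whether the running kernel sets fs.protected_hardlinks.

```shell
#!/bin/sh
# Added example maintainer-script fragment (not from any real package).
# Assumed role user name and file list are placeholders.
set -e

# Return 0 if $1 is a regular file with exactly one link.
# -prune keeps find from descending if $1 is a directory, so only
# $1 itself is examined; a directory or a multiply-linked file prints nothing.
is_single_link_regular() {
    [ -n "$(find "$1" -prune -type f -links 1 -print 2>/dev/null)" ]
}

# Change ownership of each listed file with a separate, non-recursive chown.
# Entries that are not single-link regular files are reported and skipped.
# Prints the number of files whose ownership was changed.
chown_static_list() {
    owner=$1
    shift
    changed=0
    for f in "$@"; do
        if is_single_link_regular "$f"; then
            chown "$owner" "$f"
            changed=$((changed + 1))
        else
            echo "refusing to chown $f: not a single-link regular file" >&2
        fi
    done
    echo "$changed"
}

# Return 0 if the running kernel has fs.protected_hardlinks=1.
hardlink_protection_enabled() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = "1" ]
}

# Usage in a postinst (hypothetical role user and paths):
#   chown_static_list myservice /var/lib/myservice/state.db /var/log/myservice/app.log
#   hardlink_protection_enabled || echo "kernel does not protect hardlinks" >&2
```

Because the list is written out in the script rather than produced by find, a file that appears under the role user's directory at install time but was not shipped by the package is never touched.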
For more information please consult:
- Bug#895597
- Bug#889060
- Bug#889488
- the runuser(1) manual page
The tag is present in Lintian version 2.114.163. That is the most recent version we know about.
We use semantic versions. The patch number is a commit step indicator relative to the 2.114.0 release tag in our Git repository.
You can find the detection logic for this version at commit fd97859. For merge requests, please use the latest version in the Lintian check scripts.
Visibility: warning
Renamed from:
- maintainer-script-should-not-use-recursive-chown-or-chmod